CVE-2018-20094

Name of the Vulnerable Software and Affected Versions XXL-CONF version 1.6.0

Description The issue is related to a path traversal vulnerability via ../ in the keys parameter, which can be used to download any configuration file. This is associated with ConfController.java and PropUtil.java.

Recommendations For XXL-CONF version 1.6.0, consider restricting access to the keys parameter in the affected API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the ../ sequence in the keys parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.